On 07/10/2008, at 1:27 AM, Matt Lepinski wrote:
Geoff,
On the issue of canonicalization -- To the best of my knowledge no
one has put forward a use-case, on this mailing list or at the
Dublin meeting, in which efficient comparison of ROAs is necessary.
Therefore, the only reason to define some sort of 'canonicalization'
is to simplify comparison between the addresses in a ROA and an EE
cert. It is possible that requiring prefixes to be lexicographically
sorted makes it easier for relying parties to compare a ROA with its
corresponding EE certificate [at the cost of slightly more work for
the relying party]. Therefore, I have a weak preference for
requiring ROA prefixes to be lexicographically sorted. However, I
have a strong preference for finishing the document, so I'm willing
to go along with Geoff's proposal (i.e. No canonical ordering).
While we're on the topic of comparing ROA prefixes to those in EE
certificates: Currently, the ROA format draft specifies an exact
match between the prefixes in a ROA and the prefixes in the EE cert,
and this text is a bit ambiguous as written (for which I am to
blame). As was pointed out at IETF 72 we have the following issue:
One might reasonably create a ROA containing 10.0/16 and 10.1/16.
However, RFC 3779 specifies that if one were to create an EE cert
covering these addresses that the IP address extension would contain
the single prefix 10.0/15.
So if by "exact match" we mean a simple bit-wise comparison, then
10.0/16 and 10.1/16 cannot be present in the same ROA (they would
need to be split into two separate ROAs, which is clearly
inefficient) and if by "exact match" we mean 'logically the same set
of addresses' then it's not clear what the "exact match" requirement
is buying us.
At IETF 72, George Michaelson suggested that the proper requirement
is that each prefix in the ROA is a logical subset of a prefix in
the EE certificate. This is at least as easy to implement as testing
whether the ROA and EE cert contain the same 'logical set of
addresses' and nicely resolves the issue of needing to break apart
authorizations into a (potentially) large number of ROAs.
WG chair hat off once more:
Yes, if the text in section 3, step 3 of the draft was altered to use
the term "encompass" such that the IP address prefixes in that
extension encompass the IP prefix(es) in the ROA I would agree that
would be a suitable resolution.
regards,
Geoff
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
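
Added example, not part of the original thread or of the draft: the 10.0/16 + 10.1/16 case from the message above, checked under both readings of "exact match" and under the subset ("encompass") rule. The function names are hypothetical, prefixes are passed as strings, and RFC 3779 address ranges are not modelled (prefixes only).

```python
import ipaddress

def canonical_ee_prefixes(prefixes):
    """Combine adjacent/overlapping prefixes into the minimal prefix list,
    as RFC 3779 requires for the certificate extension (ranges not modelled)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed families
        merged.extend(ipaddress.collapse_addresses(
            [n for n in nets if n.version == version]))
    return merged

def exact_match(roa_prefixes, ee_prefixes):
    """'Exact match' read as a literal prefix-by-prefix comparison."""
    return ({ipaddress.ip_network(p) for p in roa_prefixes}
            == {ipaddress.ip_network(p) for p in ee_prefixes})

def encompassed(roa_prefixes, ee_prefixes):
    """Subset rule: every ROA prefix lies inside some EE certificate prefix."""
    ee = [ipaddress.ip_network(p) for p in ee_prefixes]
    for p in roa_prefixes:
        roa_net = ipaddress.ip_network(p)
        if not any(roa_net.version == e.version and roa_net.subnet_of(e)
                   for e in ee):
            return False
    return True

# Constructed sample: the two prefixes from the message, written out in full.
ROA_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16"]
EE_PREFIXES = [str(n) for n in canonical_ee_prefixes(ROA_PREFIXES)]

if __name__ == "__main__":
    print("EE extension:", EE_PREFIXES)
    print("exact match:", exact_match(ROA_PREFIXES, EE_PREFIXES))
    print("encompassed:", encompassed(ROA_PREFIXES, EE_PREFIXES))
    print("10.2.0.0/16 encompassed:", encompassed(["10.2.0.0/16"], EE_PREFIXES))
```
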